Intel plugs Active Management Technology security hole

— 4:02 PM on May 5, 2017

Over the past few days, some scary stories have been circulating on the internet regarding a privilege escalation vulnerability in Intel's Active Management Technology suite, which provides out-of-band management capabilities—or hardware-based remote control of certain PC features—over a network, even when a PC is turned off. According to Google security developer Matthew Garrett, vulnerable systems that are set up to use AMT and have the feature provisioned by an organization could give an attacker serial console access, allow for arbitrary code execution in the operating system's kernel, or provide a way to boot a hostile operating system over a network.

One of the headaches with this vulnerability is figuring out which systems are actually affected. According to Intel, only systems with support for its Active Management Technology, Intel Standard Manageability, and the now-defunct Intel Small Business Technology features have the prerequisites to get owned by the bug. Those technologies are a part of the vPro technology suite for businesses.

Furthermore, those systems would have to be provisioned (i.e. set up) by a system administrator to use AMT, ISM, or SBT for the vulnerability to be exploited remotely. A separate but related vulnerability would allow an attacker to provision an affected system locally and gain privileges on that system, but as a rule of thumb, once an attacker has local access to your PC, all bets are off anyway.

If you're a regular Joe or Jane, there's probably little reason to worry about this exploit on your home PC. Intel's P-series, B-series, H-series, and Z-series consumer chipsets aren't compatible with these remote management features, so they could never be provisioned for remote management in the first place. As far as we're aware, one would need a Q-series motherboard (or one with another business-friendly chipset) to be vulnerable to the local provisioning exploit to begin with, and only business PCs that are already provisioned for Intel AMT can be taken advantage of over the network. If you're in a large corporation's IT department, however, we feel for you.

With that baseline established, we can look at what is vulnerable. Intel says versions of its manageability firmware ranging back to version 6.0.x are affected. That firmware is associated with AMT-ready versions of Intel's 5-series motherboards, which hosted Lynnfield and Clarkdale Core CPUs back in 2009. The vulnerability is present in all management firmware ranging up to that of the Q270 chipset that can underpin Skylake and Kaby Lake chips. Here's a listing of the vulnerable firmware versions and the updated version that removes the vulnerability for each chipset:

PC and component manufacturers are responsible for making these firmware updates available, however, so if a particular OEM is slow to act (or never acts, as the case may be for some older systems), Intel has released a guide users can follow to mitigate the vulnerability on their own. Intel has also released a detection guide and software tool to help IT pros determine whether their systems are vulnerable.

The vulnerability was discovered by embedded device security company Embedi. The researchers there have published a whitepaper detailing the exact cause of the bug for those who want the nitty-gritty. If you're a system administrator who uses Intel's AMT or similar technologies with your PCs, we'd be auditing those systems ASAP.
